Date: Sat, 16 May 2015 11:45:27 +0300
From: Michael Tokarev <mjt@....msk.ru>
To: oss-security@...ts.openwall.com
CC: qemu-devel <qemu-devel@...gnu.org>
Subject: Re: QEMU 2.3.0 tmp vulns CVE request
[Adding Cc qemu-devel@]
13.05.2015 19:23, Kurt Seifried wrote:
> So some suspicious looking tmp usage in qemu (I excluded the test
> scripts and builds scripts, they were rife with problems so hopefully
> people only build in trusted environments).
>
> Additionally there will no doubt be further QEMU issues found in the
> next few days/weeks as people start looking, I would ask that this be
> handled publicly unless it's Remote Code Exec or equivalent (e.g.
> CVE-2015-3456).
>
>
>
> ====================================================================
> http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2
>
> ====================================================================
> ./roms/u-boot/tools/patman/series.py:
> ./roms/u-boot/lib/lzma/import_lzmasdk.sh
This is part of u-boot source maintained externally but included
in qemu sources tarball. It is not used directly even for building
qemu, used only by relevant maintainers when they update files in
pc-bios/ which are produced from this set of sources. If the bug
is to be assigned, it should be filed against u-boot not qemu.
> ====================================================================
> ./roms/ipxe/src/util/niclist.pl:
The same thing, it is ipxe source, not used by qemu in any way.
> ====================================================================
>
> ./net/slirp.c:
> snprintf(s->smb_dir, sizeof(s->smb_dir), "/tmp/qemu-smb.%ld-%d",
> (long)getpid(), instance++);
This one is real, used for -smb argument, to start smbd, making
its configuration. Maybe tmpnam() should be used here.
> ====================================================================
> ./tcg/tcg.c:
> #ifdef DEBUG_JIT
> /* Enable this block to be able to debug the ELF image file creation.
> One can use readelf, objdump, or other inspection utilities. */
> {
> FILE *f = fopen("/tmp/qemu.jit", "w+b");
> if (f) {
> if (fwrite(img, img_size, 1, f) != img_size) {
> /* Avoid stupid unused return value warning for fwrite. */
> }
> fclose(f);
> }
> }
> #endif
This is solely for debugging by JIT maintainers. Not useful for or
used by users.
>From all the above, only net/slirp.c issue might be of interest.
Thanks,
/mjt